# {{output.header}}
# {{{output.link}}}

# this configuration requires mod_ssl{{#if form.hsts}}{{#if form.ocsp}}, mod_socache_shmcb{{/if}}, mod_rewrite, and mod_headers{{else if form.ocsp}} and mod_socache_shmcb{{/if}}
{{#if form.hsts}}
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

{{/if}}
<VirtualHost *:443>
    SSLEngine on
{{#if (minver "2.4.8" form.serverVersion)}}
  {{#if output.usesDhe}}

    # {{output.dhCommand}} >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
  {{else}}
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
  {{/if}}
{{else}}
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
{{/if}}
    SSLCertificateKeyFile   /path/to/private_key
{{#if (minver "2.4.17" form.serverVersion)}}

    # enable HTTP/2, if available
    Protocols h2 http/1.1
{{/if}}
{{#if form.hsts}}

    # HTTP Strict Transport Security (mod_headers is required) ({{output.hstsMaxAge}} seconds)
    Header{{#if (minver "2.0.0" form.serverVersion)}} always{{/if}} set Strict-Transport-Security "max-age={{output.hstsMaxAge}}"
{{/if}}
</VirtualHost>

# {{form.config}} configuration, tweak to your needs
{{#if (minver "2.3.16" form.serverVersion)}}
SSLProtocol             all {{#unless (includes "SSLv3" output.protocols)}}-SSLv3{{/unless}}
                            {{~#unless (includes "TLSv1" output.protocols)}} -TLSv1{{/unless}}
                            {{~#unless (includes "TLSv1.1" output.protocols)}} -TLSv1.1{{/unless}}
                            {{~#unless (includes "TLSv1.2" output.protocols)}} -TLSv1.2{{/unless}}
{{else}}
SSLProtocol             all -SSLv2 {{#unless (includes "SSLv3" output.protocols)}}-SSLv3 {{/unless}}{{#unless (includes "TLSv1" output.protocols)}}-TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}} -TLSv1.2{{/unless}}
{{/if}}
{{#if output.ciphers.length}}
SSLCipherSuite          {{{join output.ciphers ":"}}}
{{/if}}
SSLHonorCipherOrder     {{#if output.serverPreferredOrder}}on{{else}}off{{/if}}
{{#if (minpatchver "2.2.30" form.serverVersion)}}
SSLSessionTickets       off
{{/if}}
{{#if (minver "1.0.2l" form.opensslVersion)}}
  {{#if (minver "2.4.11" form.serverVersion)}}
SSLSessionTickets       off
  {{/if}}
{{/if}}
{{#if form.ocsp}}
  {{#if (minver "2.4.14" form.serverVersion)}}

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
  {{/if}}
{{/if}}